Reporting Report-Only Conditional Access Rule

There’s not a good way to report on the results of a report-only conditional access rule. As of writing this post, you have to look at the result of the rule by digging into each user's sign-ins, which can be tedious.

There is a better way to report and it’s through Log Analytics via Kusto Query Language (KQL).

First, you will need to send your Azure AD data to Log Analytics. This requires setting up Azure AD Insights and sending Azure AD sign-in logs to Log Analytics.

After that, run the following KQL query to get a list of all sign-ins that would be affected by the report-only conditional access policy. In this instance, we are looking for all sign-ins where the report-only conditional access policy was successfully applied.

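SigninLogs
| project ConditionalAccessPolicies, UserDisplayName, AppDisplayName
// Skip sign-ins that no conditional access policy evaluated
| where tostring(ConditionalAccessPolicies) != "[]"
// One row per policy evaluated for each sign-in
| mv-expand ConditionalAccessPolicies
| extend result = tostring(ConditionalAccessPolicies["result"]), CAName = tostring(ConditionalAccessPolicies["displayName"])
| project-away ConditionalAccessPolicies
// Keep only evaluations where the report-only policy was successfully applied
| where result == "reportOnlySuccess"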
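
Before switching a report-only policy to enforced, the other report-only outcomes matter as much as the successes. The following query is an added example, not part of the original post: it goes beyond the single `reportOnlySuccess` case and counts every report-only result per policy. The 7-day window and the cap of 20 apps per row are assumptions to adjust.

```kusto
// Added example: per-policy breakdown of all report-only outcomes.
SigninLogs
| where TimeGenerated > ago(7d)                      // assumed lookback window
| where tostring(ConditionalAccessPolicies) != "[]"
| mv-expand ConditionalAccessPolicies
| extend CAName = tostring(ConditionalAccessPolicies["displayName"]),
         result = tostring(ConditionalAccessPolicies["result"])
// reportOnlySuccess, reportOnlyFailure, reportOnlyInterrupted, reportOnlyNotApplied
| where result startswith "reportOnly"
| summarize SignIns = count(),
            Users   = dcount(UserPrincipalName),
            Apps    = make_set(AppDisplayName, 20)   // assumed cap on apps listed
    by CAName, result
| order by CAName asc, SignIns desc
```

Rows with `reportOnlyFailure` are the sign-ins that would not have satisfied the policy if it were enforced, and `reportOnlyInterrupted` rows are sign-ins where the user would have been prompted, so review those users and apps first.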